Have you been the victim of an APT?: Identifying and protecting against an attack

Many company administrators and IT leaders believe that their enterprise’s security system is infallible, and will be able to detect any threat that comes their way. While many businesses have multi-layered, advanced protection technology in place, when it comes to an infection or cyber attack, the rule of thumb is to never say never.

Different organizations are attractive targets for cybercriminals for a variety of different reasons: the information they store is valuable, they are being used as a middle point to attack another group, hackers are simply attempting to siphon funds, the list goes on. But imagine if a black hat was able to slip into an enterprise network undetected and remain there for a considerable amount of time. Just consider the damage that could be done and the information compromised, all while the business carries on as usual without recognizing the threat.

When a company has been the victim of an advanced persistent threat, this is exactly what takes place. Oftentimes, even the most extensive security systems are unable to identify and alert key employees to the presence of an APT. Therefore, IT administrators and engineers must understand what to look for in order to effectively recognize the launch of an APT, or an existing one within the network. With this knowledge, the enterprise is better prepared to deal with an attack when and if one takes place, and to prevent future ones.

Who is a target for an APT?
The first step in prevention is to understand what puts a specific organization at risk for an APT attack. According to Security Magazine contributor Trevor Kennedy, some industries have historically been the focus for APT intrusions, including government groups, oil and energy companies, broadcasters or those in the power generation sector. This, however, does not mean that businesses outside of these industries are safe.

Kennedy noted that there are several situations in which a company could be targeted for an APT attack, including when it is a third-party provider for another, higher-profile organization. Oftentimes, hackers will leverage external third parties as a stepping stone to reach the target organization. For example, in the well-known Target breach, cybercriminals first targeted the HVAC company the retailer had contracted, infiltrating this provider to gain the credentials and information needed to attack the retail chain.

How can I tell if an APT attack has taken place?
It is imperative that key IT staff know what types of activity can signal the presence of an APT within the network. By identifying the first signs of an intrusion, the IT team can work to respond to the threat and mitigate its damages.

InfoWorld contributor and security adviser Roger Grimes noted that there are a few main signs IT leaders can look for to determine if they’ve been hit with an APT.

An increase in log-ons from accounts with higher privileges late at night: Grimes noted that oftentimes, APT attackers will breach an authentication database and target the credentials with the highest permissions. An increase in these log-ins long after the business has closed for the day can signal the presence of an APT hacker.

Backdoor Trojans: Hackers leveraging APTs tend to deploy backdoor Trojans to ensure that even if the credentials they’ve stolen are changed, they can always get back into the network if they choose. The presence of widespread backdoor Trojan programs is one of the leading signs of APT infection.

Suspicious information flows: Grimes noted that one of the best ways to identify an APT is to check for large, unexpected information flows from internal network points to other internal or external machines. In order to best recognize these information flows, the IT team must have a deep understanding of the network’s typical information flows so they can spot the differences.

Unexpected data bundles: Similar to information flows, atypical data bundles can also signal an APT attack.
“Look for large (we’re talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archived formats not normally used by your company,” Grimes advised.

Pass-the-hash hacking tools: Grimes noted that while not all APTs utilize pass-the-hash hacking tools, they do crop up fairly often. Additionally, many hackers forget to delete these tools, so their emergence in the network is some of the surest, most concrete evidence of attack.
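Two of the indicators above, after-hours log-ons by privileged accounts and outbound transfers far larger than a host's normal volume, can be checked mechanically once the IT team has a baseline to compare against. The following script is an added example, not code from the article or from Grimes; it runs over a handful of constructed log lines in an invented pipe-delimited format, and the account names, business-hours window, hosts, addresses and per-host byte baselines are all assumptions chosen for the illustration. It flags each indicator on its own and then correlates them by host, which is the step that turns two weak signals into something worth an incident ticket.

```python
from datetime import datetime, time

# Constructed sample events (not taken from any real environment): a mix of
# authentication records (AUTH) and per-host outbound transfer summaries (XFER).
SAMPLE_LOG = """\
2024-03-04T09:12:41|AUTH|user=jdoe|host=WS-014|result=success
2024-03-04T23:47:05|AUTH|user=domain-admin|host=DC-01|result=success
2024-03-04T23:58:10|XFER|host=DC-01|dst=198.51.100.7|bytes=2200000000
2024-03-05T02:13:22|AUTH|user=svc-backup|host=FS-02|result=success
2024-03-05T03:05:00|XFER|host=FS-02|dst=203.0.113.9|bytes=4830000000
2024-03-05T10:02:10|AUTH|user=domain-admin|host=DC-01|result=success
2024-03-05T11:30:00|XFER|host=WS-014|dst=10.0.5.12|bytes=12000000
"""

# Assumed high-privilege accounts and the assumed normal working window.
PRIVILEGED_ACCOUNTS = {"domain-admin", "svc-backup"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Assumed baseline of typical outbound bytes per host per day, as learned from
# prior weeks of traffic; a transfer this many times the baseline is flagged.
BASELINE_BYTES = {"WS-014": 15_000_000, "FS-02": 120_000_000, "DC-01": 5_000_000}
FLOW_MULTIPLIER = 10


def parse_line(line):
    """Turn one 'timestamp|KIND|k=v|k=v...' line into a dict."""
    ts, kind, *fields = line.strip().split("|")
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def find_after_hours_privileged_logons(records):
    """Successful log-ons by privileged accounts outside business hours."""
    return [
        r for r in records
        if r["kind"] == "AUTH" and r["result"] == "success"
        and r["user"] in PRIVILEGED_ACCOUNTS and is_after_hours(r["ts"])
    ]


def find_anomalous_flows(records):
    """Outbound transfers far above the host's baseline, or from a host with no baseline."""
    hits = []
    for r in records:
        if r["kind"] != "XFER":
            continue
        nbytes = int(r["bytes"])
        baseline = BASELINE_BYTES.get(r["host"])
        if baseline is None or nbytes >= FLOW_MULTIPLIER * baseline:
            hits.append(r)
    return hits


def correlate_by_host(logons, flows):
    """Hosts that show both indicators: a likely point to start an investigation."""
    return sorted({r["host"] for r in logons} & {r["host"] for r in flows})


def analyze(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    logons = find_after_hours_privileged_logons(records)
    flows = find_anomalous_flows(records)
    return {
        "after_hours_privileged": logons,
        "anomalous_flows": flows,
        "hosts_with_both": correlate_by_host(logons, flows),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["after_hours_privileged"]:
        print(f"after-hours privileged log-on: {r['user']} on {r['host']} at {r['ts']}")
    for r in result["anomalous_flows"]:
        print(f"anomalous outbound flow: {r['host']} -> {r['dst']} ({r['bytes']} bytes)")
    print("hosts showing both indicators:", result["hosts_with_both"])
```

The baseline table is the part that matters in practice: without a record of what each host normally sends, the flow check degrades to a fixed byte threshold, which is exactly the "deep understanding of the network's typical information flows" the article says the team needs before the comparison means anything. In a real deployment the inputs would come from the directory service's authentication log and from flow records rather than a string constant.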

Understanding current threats: Knowledge is power
Overall, one of the best ways to identify and help prevent an APT intrusion is with knowledge about current threats and a full understanding of regular activity taking place in the network. When the IT team has a baseline of network occurrences and can efficiently identify activity that is suspicious or out of the ordinary, they can work quickly to adapt protection and prevent further intrusion.

In addition, having knowledge about the latest threats being currently utilized by hackers can bolster these prevention efforts. Grimes noted that not all APTs will have the same symptoms, so knowing what the latest threat looks like and how it will act within the network is one of the best ways to recognize and stop an attack in its tracks.